sftp-server: add a chroot option

Eloi Benoist-Vanderbeken eloi.benoist-vanderbeken at synacktiv.com
Thu Feb 26 21:16:55 AEDT 2026


Hi Damien,

> Maybe for Linux a sftp-server that runs in a namespace would be more
> idiomatic? Assuming a nice way to configure and customise the namespace
> according to the user, etc.

Finding this "nice way" seems difficult. I actually contain my
sftp-server in a namespace, but I do it in a script; it's way more flexible
than a configuration file.

> Put another way: why chroot when better containment capabilities exist
> via namespaces?

Because it will work for both Linux and *BSD, particularly those with
unprivileged chroot enabled. And it's still better than nothing :)

I can PoC a quick patch that will use pivot_root instead of chroot, but
I'm not sure how to detect if I should use this syscall or not.

Kind regards,
-- 
Eloi Benoist-Vanderbeken
Synacktiv

-----Original Message-----
From: Damien Miller <djm at mindrot.org>
To: Eloi Benoist-Vanderbeken <eloi.benoist-vanderbeken at synacktiv.com>
Cc: openssh-unix-dev at mindrot.org
Subject: Re: sftp-server: add a chroot option
Date: 02/26/2026 06:46:58 AM

On Wed, 25 Feb 2026, Eloi Benoist-Vanderbeken wrote:

> Dear list,
> 
> A bit like the "sftp-server: add a flag to call unveil on starting directory" thread, I would like to add an option to chroot the sftp-server.
> 
> I am well aware that I could use ChrootDirectory with internal-sftp but that doesn't work for me. I need to set up the sftp server environment in a way that is incompatible with internal-sftp (I'm using environment variables configured in the authorized_keys file to restrict the server's view of the FS).
> 
> I'm launching my patched sftp-server from an unprivileged namespace in Linux so running as "root" is not a problem nor a security concern. Moreover, chroot should also work on all OpenSSH-supported systems (to the best of my knowledge).

Maybe for Linux a sftp-server that runs in a namespace would be more
idiomatic? Assuming a nice way to configure and customise the namespace
according to the user, etc.

Put another way: why chroot when better containment capabilities exist
via namespaces?

-d

